typestack/routing-controllers

CVE-2022-24434

chkp-idoma opened this issue · 8 comments

Hi,
Please fix CVE-2022-24434
need to make sure to update dicer to be <= 0.3.1
(by updating multer when possible - please follow expressjs/multer#1095)

npm ls output:

-- routing-controllers@0.9.0
   -- multer@1.4.4
      -- busboy@0.2.14
         -- dicer@0.2.5

Hi
Is there no released version to fix this problem?
This repo is dead, right?
It's been over a year and there have been no new releases.

Facing a similar issue on performing a Snyk scan - https://security.snyk.io/vuln/SNYK-JS-DICER-2311764
The package version remains the same as mentioned above.

any update?

It seems we have no choice but to switch to a better-maintained alternative such as https://github.com/tsedio/tsed to resolve this high severity CVE. Any other ideas?

@look4regev @chkp-idoma - as far as I understand, the vulnerability occurs only if you expose a route with file upload.
Also, because this project isn't maintained, you can fork this project and update the related dependency. I tried this and the project tests pass (after making a small correction), but I didn't do any other tests (degradation).

Should be fixed

Thanks! The new release (v0.10.0) looks packed with goodies. Much appreciated.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.